DEF20CON203320-20Adversary20Village20-20Seongsu20Park20-20Blurred-_scTIk12.pdf (5 MB)

Seongsu Park’s DEF CON material examines how North Korean cyber operations have evolved from broad umbrella labels into multiple specialized clusters with overlapping tools, infrastructure, and mission sets. The slides describe Lazarus-linked history, Kimsuky expansion, and operational specialization across financial crime, espionage, and intelligence collection, arguing that TTP-based clustering is needed for more accurate attribution. One case highlights PEBBLEDASH activity where Lazarus-linked malware traits appeared alongside Kimsuky-associated C2 infrastructure, including address.linkedin.p-e[.]kr and phishing infrastructure using shortened URLs and naverdomain-themed domains. The material also details post-exploitation behaviors such as PowerShell command execution, HazyLoad proxy use, Ngrok tunneling, RDP account creation, and Chrome Remote Desktop installation, showing why full-chain analysis matters when DPRK groups share or reuse tools.